Commit graph

561 commits

Author SHA1 Message Date
Benjamin Yule Bädorf d280b29394
obs-portal: init obs-portal on nachtigall
This follows the official installation instructions at https://github.com/openbikesensor/portal/blob/main/docs/production-deployment.md

Unfortunately, the postgres database needs to have postgis enabled, so
we'll have to start a second instance. To stay close to the official
deployment instructions, this is running in docker.

The secrets were taken from the old installation instance. During
initial installation, we'll need to import data from the old instance
into this one, which might take a while.
2024-04-27 22:45:07 +02:00
Benjamin Yule Bädorf c49e47dc30
Add .editorconfig file with tabs as indentation
Just use tabs guys
2024-04-27 20:47:07 +02:00
teutat3s 5e34acd765
Merge pull request 'Revert "matrix-appservice-irc: remove unneeded syscall override"' (#171) from fix/matrix-appservice-irc into main
Reviewed-on: pub-solar/infra#171
Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
2024-04-27 13:50:46 +00:00
teutat3s 2fa3ccf28e
Revert "matrix-appservice-irc: remove unneeded syscall override"
This reverts commit a11255b433.
2024-04-27 01:44:20 +02:00
teutat3s 505d0f34ea
Merge pull request 'nachtigall: synapse security update' (#153) from chore/synapse-security-update into main
Reviewed-on: pub-solar/infra#153
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-26 20:48:19 +00:00
teutat3s ddc5c65bf7
chore: bump flake inputs
• Updated input 'home-manager':
    'github:nix-community/home-manager/d6bb9f934f2870e5cbc5b94c79e9db22246141ff?narHash=sha256-dA82pOMQNnCJMAsPG7AXG35VmCSMZsJHTFlTHizpKWQ%3D' (2024-04-06)
  → 'github:nix-community/home-manager/86853e31dc1b62c6eeed11c667e8cdd0285d4411?narHash=sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM%3D' (2024-04-25)
• Updated input 'nix-darwin':
    'github:lnl7/nix-darwin/9e7c20ffd056e406ddd0276ee9d89f09c5e5f4ed?narHash=sha256-olEWxacm1xZhAtpq%2BZkEyQgR4zgfE7ddpNtZNvubi3g%3D' (2024-04-19)
  → 'github:lnl7/nix-darwin/230a197063de9287128e2c68a7a4b0cd7d0b50a7?narHash=sha256-lc75rgRQLdp4Dzogv5cfqOg6qYc5Rp83oedF2t0kDp8%3D' (2024-04-24)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/bc194f70731cc5d2b046a6c1b3b15f170f05999c?narHash=sha256-YguPZpiejgzLEcO36/SZULjJQ55iWcjAmf3lYiyV1Fo%3D' (2024-04-19)
  → 'github:nixos/nixpkgs/dd37924974b9202f8226ed5d74a252a9785aedf8?narHash=sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds%3D' (2024-04-24)
• Updated input 'unstable':
    'github:nixos/nixpkgs/5c24cf2f0a12ad855f444c30b2421d044120c66f?narHash=sha256-XtTSSIB2DA6tOv%2Bl0FhvfDMiyCmhoRbNB%2B0SeInZkbk%3D' (2024-04-19)
  → 'github:nixos/nixpkgs/572af610f6151fd41c212f897c71f7056e3fb518?narHash=sha256-cfh1hi%2B6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U%3D' (2024-04-23)
2024-04-25 19:21:05 +02:00
teutat3s a11255b433
matrix-appservice-irc: remove unneeded syscall override
PR was merged and backported:
https://github.com/NixOS/nixpkgs/pull/271740
2024-04-25 12:37:58 +02:00
teutat3s d62b6cda92
Merge pull request 'ci: update forgejo runner to fix cache' (#152) from ci/update-forgejo-runner into main
Reviewed-on: pub-solar/infra#152
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-23 18:18:39 +00:00
teutat3s c580fe0fbb
ci: prevent flake inputs from GC as well 2024-04-23 19:10:20 +02:00
teutat3s 60aef1d038
ci: prevent nix garbage collection 2024-04-23 16:00:16 +02:00
teutat3s fa9ce9d435
gitea-actions-runner: don't run as systemd DynamicUser
to enable usage of cache outside of /var/lib/private
2024-04-23 15:42:33 +02:00
teutat3s 9541e5029e
flora-6: move forgejo-runner cache directory to /data 2024-04-23 15:12:11 +02:00
teutat3s c4d0d34807
ci: revert cache-nix-action to version 4.0.3 2024-04-23 15:12:06 +02:00
teutat3s d5fe65b60d
ci: disable cachix daemon, spams logs with
[2024-04-22 23:46:26][Info] Skipping /nix/store/w2zp8k8yy2avv5r92w0cpq9aixkir2sp-LocalSettings.php
...
2024-04-23 15:11:59 +02:00
teutat3s 0e7dc95250
ci: remove broken purge config from check workflow 2024-04-23 01:42:04 +02:00
teutat3s c86e22b292
ci: update forgejo-runner to version 3.4.1
https://github.com/NixOS/nixpkgs/pull/301383
2024-04-23 00:38:53 +02:00
Hendrik Sokolowski 4992819742
Merge pull request 'set pruneOpts for restic backups to daily 7, weekly 4, monthly 3' (#151) from feature/restic-backup-retention into main
Reviewed-on: pub-solar/infra#151
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>
2024-04-22 19:38:21 +00:00
Hendrik Sokolowski a9411d05a8
set pruneOpts for restic backups to daily 7, weekly 4, monthly 3 2024-04-22 20:06:49 +02:00
teutat3s e8530caf1d
Merge pull request 'ci: update nix-quick-install-action, cache-nix-action, cachix-action' (#150) from chore-update-ci into main
Reviewed-on: pub-solar/infra#150
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-22 15:19:36 +00:00
teutat3s 7c492e7391
Merge pull request 'chore: forgejo security update, update matrix-synapse et al.' (#149) from chore-update-flake into main
Reviewed-on: pub-solar/infra#149
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-22 15:18:33 +00:00
teutat3s a0c6f0dc08
ci: fix cache-nix-action, use new config syntax 2024-04-21 20:17:03 +02:00
teutat3s 46c7c9ecb1
ci: update nix-quick-install-action, cache-nix-action,
cachix-action
2024-04-21 19:58:58 +02:00
teutat3s fb4004e9f0
chore: update flake inputs
• Updated input 'nix-darwin':
    'github:lnl7/nix-darwin/36524adc31566655f2f4d55ad6b875fb5c1a4083?narHash=sha256-sXcesZWKXFlEQ8oyGHnfk4xc9f2Ip0X/%2BYZOq3sKviI%3D' (2024-03-30)
  → 'github:lnl7/nix-darwin/9e7c20ffd056e406ddd0276ee9d89f09c5e5f4ed?narHash=sha256-olEWxacm1xZhAtpq%2BZkEyQgR4zgfE7ddpNtZNvubi3g%3D' (2024-04-19)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/90055d5e616bd943795d38808c94dbf0dd35abe8?narHash=sha256-ZEfGB3YCBVggvk0BQIqVY7J8XF/9jxQ68fCca6nib%2B8%3D' (2024-04-13)
  → 'github:nixos/nixpkgs/bc194f70731cc5d2b046a6c1b3b15f170f05999c?narHash=sha256-YguPZpiejgzLEcO36/SZULjJQ55iWcjAmf3lYiyV1Fo%3D' (2024-04-19)
• Updated input 'unstable':
    'github:nixos/nixpkgs/cfd6b5fc90b15709b780a5a1619695a88505a176?narHash=sha256-WKm9CvgCldeIVvRz87iOMi8CFVB1apJlkUT4GGvA0iM%3D' (2024-04-12)
  → 'github:nixos/nixpkgs/5c24cf2f0a12ad855f444c30b2421d044120c66f?narHash=sha256-XtTSSIB2DA6tOv%2Bl0FhvfDMiyCmhoRbNB%2B0SeInZkbk%3D' (2024-04-19)
2024-04-21 19:28:02 +02:00
teutat3s 3030b0f84d
Merge pull request 'flora-6: add wg-ssh to ignored systemd-wait-online interfaces' (#148) from flora-6/fix-network-wait-online into main
Reviewed-on: pub-solar/infra#148
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-14 21:53:33 +00:00
teutat3s c07d24f6a7
flora-6: add wg-ssh to ignored interfaces
for systemd-wait-online to start successfully
2024-04-14 23:22:53 +02:00
teutat3s 0f297c4711
Merge pull request 'chore: security update PHP, update element-web, misc updates' (#147) from chore-update-flake into main
Reviewed-on: pub-solar/infra#147
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-14 20:29:39 +00:00
teutat3s 679d9b236f
Merge pull request 'nginx: set worker_processes to number of CPU cores' (#146) from feat/nginx-tuning into main
Reviewed-on: pub-solar/infra#146
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-14 20:22:08 +00:00
teutat3s 78d5e5a4f0
chore: update flake inputs
❯ nix store diff-closures $OLD_CLOSURE $NEW_CLOSURE
cpupower: 6.1.84 → 6.1.86
element-web: 1.11.63 → 1.11.64, +148.0 KiB
element-web-wrapped: 1.11.63 → 1.11.64
initrd-linux: 6.1.84 → 6.1.86
linux: 6.1.84, 6.1.84-modules → 6.1.86, 6.1.86-modules, +24.3 KiB
linux-firmware: 20240312 → 20240410, +493.3 KiB
nixos-system-nachtigall: 23.11.20240410.b2cf36f → 23.11.20240413.90055d5
owncast: 0.1.2 → 0.1.3, -376.1 KiB
php: 8.2.17 → 8.2.18
php-bcmath: 8.2.17 → 8.2.18
php-bz2: 8.2.17 → 8.2.18
php-calendar: 8.2.17 → 8.2.18
php-ctype: 8.2.17 → 8.2.18
php-curl: 8.2.17 → 8.2.18
php-dom: 8.2.17 → 8.2.18
php-exif: 8.2.17 → 8.2.18
php-extra-init: 8.2.17.ini → 8.2.18.ini
php-fileinfo: 8.2.17 → 8.2.18
php-filter: 8.2.17 → 8.2.18
php-ftp: 8.2.17 → 8.2.18
php-gd: 8.2.17 → 8.2.18
php-gettext: 8.2.17 → 8.2.18
php-gmp: 8.2.17 → 8.2.18
php-iconv: 8.2.17 → 8.2.18
php-imap: 8.2.17 → 8.2.18
php-intl: 8.2.17 → 8.2.18
php-ldap: 8.2.17 → 8.2.18
php-mbstring: 8.2.17 → 8.2.18
php-mysqli: 8.2.17 → 8.2.18
php-mysqlnd: 8.2.17 → 8.2.18
php-opcache: 8.2.17 → 8.2.18
php-openssl: 8.2.17 → 8.2.18
php-pcntl: 8.2.17 → 8.2.18
php-pdo: 8.2.17 → 8.2.18
php-pdo_mysql: 8.2.17 → 8.2.18
php-pdo_odbc: 8.2.17 → 8.2.18
php-pdo_pgsql: 8.2.17 → 8.2.18
php-pdo_sqlite: 8.2.17 → 8.2.18
php-pgsql: 8.2.17 → 8.2.18
php-posix: 8.2.17 → 8.2.18
php-readline: 8.2.17 → 8.2.18
php-session: 8.2.17 → 8.2.18
php-simplexml: 8.2.17 → 8.2.18
php-soap: 8.2.17 → 8.2.18
php-sockets: 8.2.17 → 8.2.18
php-sodium: 8.2.17 → 8.2.18
php-sqlite3: 8.2.17 → 8.2.18
php-sysvsem: 8.2.17 → 8.2.18
php-tokenizer: 8.2.17 → 8.2.18
php-with-extensions: 8.2.17 → 8.2.18
php-xmlreader: 8.2.17 → 8.2.18
php-xmlwriter: 8.2.17 → 8.2.18
php-zip: 8.2.17 → 8.2.18
php-zlib: 8.2.17 → 8.2.18
searxng: ∅ → 0-unstable-2024-03-08, +15337.5 KiB
searxng-unstable: 2023-10-31 → ∅, -14965.6 KiB
source: +470.3 KiB
uwsgi: 2.0.23 → 2.0.24
zfs-kernel: 2.2.3-6.1.84 → 2.2.3-6.1.86
2024-04-14 22:09:37 +02:00
teutat3s c768203bed
nginx: set worker_processes to number of CPU cores
and set worker_connections to 1024

https://nginx.org/en/docs/ngx_core_module.html#worker_processes
https://nginx.org/en/docs/ngx_core_module.html#worker_connections
2024-04-14 17:39:56 +02:00
teutat3s b0c466869e
Merge pull request 'wireguard: use IP addresses for wireguard endpoints' (#145) from fix/use-ip-for-wireguard into main
Reviewed-on: pub-solar/infra#145
Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>
2024-04-12 20:40:39 +00:00
teutat3s b6a54efd9a
fix: add comment with hostnames to wireguard peers 2024-04-12 22:36:17 +02:00
Benjamin Yule Bädorf 7e145040cc
wireguard: use IP addresses for wireguard endpoints
Otherwise the hostnames written to the /etc/hosts file are already
pointing at the wireguard IP-addresses, so they can never connect.
2024-04-12 22:31:28 +02:00
b12f 9d94b888ae
Merge pull request 'networking: add wireguard hosts to /etc/hosts' (#144) from wireguard/add-etc-hosts into main
Reviewed-on: pub-solar/infra#144
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-12 19:54:09 +00:00
teutat3s 8a9fe3b8fe
chore: update flake inputs
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/d272ca50d1f7424fbfcd1e6f1c9e01d92f6da167' (2024-04-08)
  → 'github:nixos/nixpkgs/b2cf36f43f9ef2ded5711b30b1f393ac423d8f72' (2024-04-10)
• Updated input 'unstable':
    'github:nixos/nixpkgs/4cba8b53da471aea2ab2b0c1f30a81e7c451f4b6' (2024-04-08)
  → 'github:nixos/nixpkgs/1042fd8b148a9105f3c0aca3a6177fd1d9360ba5' (2024-04-10)
2024-04-12 19:54:09 +00:00
teutat3s 8743ea7b0c
networking: add wireguard hosts to /etc/hosts
Also re-enable DNSSEC, it's reported fixed in systemd-resolved
2024-04-12 19:54:09 +00:00
b12f 8743b50f7f
Merge pull request 'forgejo: also reroute ssh traffic for ipv6' (#139) from forgejo/reroute-ssh-ipv6 into main
Reviewed-on: pub-solar/infra#139
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-12 19:38:15 +00:00
Benjamin Yule Bädorf 316ba9ef53
forgejo: also reroute ssh traffic for ipv6 2024-04-12 19:38:15 +00:00
teutat3s afca75441c
Merge pull request 'forgejo: enable repo search (indexer), save login cookie for 365 days' (#142) from feat/forgejo-enable-search into main
Reviewed-on: pub-solar/infra#142
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:42 +00:00
teutat3s 9698c47530
Merge pull request 'mastodon: clean media older than 7 days' (#143) from mastodon/auto-clean-7-days into main
Reviewed-on: pub-solar/infra#143
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-06 16:07:34 +00:00
teutat3s ccb029dde3
Merge pull request 'wireguard: add ryzensun to teutat3s' hosts' (#141) from wireguard/add-ryzensun-host into main
Reviewed-on: pub-solar/infra#141
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-06 16:07:21 +00:00
teutat3s 41e4d3427c
mastodon: clean media older than 7 days
Currently we keep everything for 30 days, which is about 180GB
2024-04-05 23:50:04 +02:00
teutat3s 16e9d476cb
Merge pull request 'docs: include notes regarding rollback in deploy docs, misc updates' (#140) from docs/update-deployment-docs into main
Reviewed-on: pub-solar/infra#140
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-05 21:39:46 +00:00
teutat3s 3caf085d0b
wireguard: add ryzensun to teutat3s' hosts 2024-04-05 23:32:59 +02:00
teutat3s c5159dd66d
forgejo: enable repo search (indexer), save login
cookie for 365 days instead of default 7 days.
Caveat for the repo indexer is that repository size on disk will grow
by factor of 6. Forgejo repositories currently use 4.7GB on disk, with
3.3GB being a nixpkgs fork.
2024-04-05 23:29:49 +02:00
teutat3s b27f8c1380
docs: include notes regarding rollback in deploy
docs, misc updates
2024-04-05 23:03:43 +02:00
b12f 76ca43142a
Merge pull request 'forgejo: make SSH keys declarative' (#138) from forgejo/ssh-keys-declarative into main
Reviewed-on: pub-solar/infra#138
Reviewed-by: Hendrik Sokolowski <hensoko@noreply.git.pub.solar>
2024-04-05 19:35:55 +00:00
Benjamin Yule Bädorf 16c6aa3b61
forgejo: make SSH keys declarative 2024-04-05 19:35:55 +00:00
teutat3s 315cbf5813
Merge pull request 'fix(nextcloud): define a maintenance window' (#135) from chore/nextcloud-config-maintenance-window into main
Reviewed-on: pub-solar/infra#135
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-05 18:41:17 +00:00
b12f 9191729f5c
Merge pull request 'nachtigall: forgejo: update firewall settings' (#137) from fix/git-forgejo-open-service-port-in-firewall into main
Reviewed-on: pub-solar/infra#137
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-04-05 16:51:36 +00:00
Hendrik Sokolowski b6b8d69852
nachtigall: forgejo: update firewall settings 2024-04-05 18:39:43 +02:00